Help Center/ Cloud Eye/ User Guide/ Access Center/ Connecting to Prometheus or Grafana/ Installing and Configuring cloudeye-exporter in AK/SK Mode
Updated on 2026-06-29 GMT+08:00

Installing and Configuring cloudeye-exporter in AK/SK Mode

You can configure cloudeye-exporter to connect Cloud Eye metrics to other monitoring platforms, such as Prometheus. Before connection, you need to install and configure cloudeye-exporter.

This section describes how to install and configure cloudeye-exporter in AK/SK mode.

Constraints

  • Currently, cloudeye-exporter can be installed only on Linux x86 OSs. The host specifications must be 4 vCPUs | 8 GiB or higher.
  • If you use a local system to deploy cloudeye-exporter, ensure that the network can connect to the public network to query resource and metric data.
  • If you deploy cloudeye-exporter on an ECS, you must bind an EIP to the ECS to access data. For details about how to bind an EIP, see Binding an EIP to an Instance.
  • For details about the extended labels supported by cloudeye-exporter, see Extended Labels Supported.
  • When starting cloudeye-exporter, you need to use a permanent access key of your Huawei Cloud account. Temporary access keys will not work.

Prerequisites

  • You have obtained the password of user root and private IP address of the server where cloudeye-exporter is to be deployed.
  • Ensure that the Huawei Cloud account used in the cloudeye-exporter configuration file has the permissions for exporting monitoring data. For details, see APIs and Actions Required for cloudeye-exporter to Export Monitoring Data.
  • You have obtained the access key of the Huawei Cloud account. For details about how to obtain an access key, see Creating an Access Key.

Preparing Environments

The following uses Ubuntu 18.04 as an example.

Table 1 Preparing environments

Environment

Description

ECS OS

Ubuntu 18.04

ECS private IP address

192.168.0.xx

Installing and Configuring cloudeye-exporter

  1. Go to the cloudeye-exporter open-source project and obtain the cloudeye-exporter download address.

    For example, for v2.0.31, the download address is https://github.com/huaweicloud/cloudeye-exporter/releases/download/v2.0.31/cloudeye-exporter-v2.0.31.tar.gz.

  2. Log in to the ECS where cloudeye-exporter is deployed as user root. For details, see Login Overview (Linux).
  3. Download cloudeye-exporter.
    mkdir cloudeye-exporter
    cd cloudeye-exporter
    wget https://github.com/huaweicloud/cloudeye-exporter/releases/download/v2.0.31/cloudeye-exporter-v2.0.31.tar.gz
  4. After the download is successful, decompress the installation package.
    tar -xzvf cloudeye-exporter-v2.0.31.tar.gz
  5. Edit the configuration file clouds.yml to configure public cloud information.
    The following uses the CN North-Beijing4 region as an example:
    global:
      prefix: "huaweicloud"
      port: "127.0.0.1:8087"
      scrape_batch_size: 300
      resource_sync_interval_minutes: 20
      ignore_ssl_verify: false
    auth:
      auth_url: "https://iam.cn-north-4.myhuaweicloud.com/v3"
      project_name: "cn-north-4"
      access_key: ""
      secret_key: ""
      region: "cn-north-4"
    Table 2 global parameters

    Parameter

    Description

    Example Value

    prefix

    The cloudeye-exporter tool automatically combines the queried metric data with this prefix. The default prefix is huaweicloud. Retain the default value.

    huaweicloud

    port

    Port used by the listener.

    For security purposes, you are advised not to expose the exporter service port to the public network. You are advised to set this parameter to 127.0.0.1:{Port} or {Private IP address}:{Port}, for example, 192.168.1.100:8087. If you need to expose the port, ensure that access control policies, such as security groups, firewalls, and iptables, follow the principle of least privilege.

    CAUTION:

    The default port is 8087.

    192.168.1.100:8087

    scrape_batch_size

    Number of records per page for querying Cloud Eye metric data. For example, 300 indicates that each page contains 300 metric data records. Retain the default value.

    300

    resource_sync_interval_minutes

    Interval at which resource information is updated, in minutes. The default value is 180. If the value is less than 10 minutes, the resource information will be updated every 10 minutes.

    20

    ep_ids

    (Optional) Enterprise project IDs for filtering resources. For details about cloud resources that support this feature, see Table 1. If this parameter is not configured, metrics of all resources are queried by default. Use commas (,) to separate multiple enterprise project IDs. For details about how to view the ID of an enterprise project, see Obtaining an Enterprise Project ID.

    c3dddfcb-7f21-4ac3-a386-24xxx1,c3dddfcb-7f21-4ac3-a386-24xxx2

    logs_conf_path

    (Optional) Path of the log configuration file. You are advised to use an absolute path. If it is not added to the configuration file or is left blank, the log configuration file logs.yml in the directory where the startup command is executed is used by default.

    /root/logs.yml

    metrics_conf_path

    (Optional) Path of the metric configuration file. This file is used to configure a metric whitelist.

    An absolute path is recommended. If it is not added to the configuration file or is left blank, the metric configuration file metric.yml in the directory where the startup command is executed is used by default.

    /root/metric.yml

    endpoints_conf_path

    (Optional) Path of the service domain configuration file.

    An absolute path is recommended. If it is not added to the configuration file or is left blank, the service domain configuration file endpoints.yml in the directory where the startup command is executed is used by default.

    /root/endpoints.yml

    ignore_ssl_verify

    (Optional) Whether to verify the SSL certificate when the exporter queries resources or metrics. If functions are abnormal due to SSL certificate verification, you can set this parameter to true to skip verification. Possible values are:

    • true: skips SSL certificate verification during resource or metric data query. Use this value if functions are abnormal due to SSL certificate verification, for example, monitoring data query fails.
    • false: verifies the SSL certificate during resource or metric data query.

    false

    client_cn

    (Optional) Trusted DNS list, which is used to verify the DNS names in the HTTPS certificate chain. Use commas (,) to separate multiple DNS names in the list.

    100.125.1.250

    unit_standardization_enabled

    (Optional) Whether to enable the unit optimization capability of metric data. This function is disabled by default. After this function is enabled, the original unit is consistent with that on the Cloud Eye console and that described in the help documentation. It also introduces unit_v2 to set clearer standards for Huawei Cloud service metrics. These standards improve readability and allow you to select units when configuring visual dashboards like Grafana dashboards.

    false

    i18n_config_file_path

    (Optional) The label optimization capability of metric data depends on the Cloud Eye internationalization (i18n) configuration. By default, the exporter obtains the i18n configuration by calling the Cloud Eye i18n API. If the API is unavailable, you are advised to specify the local file path of the i18n configuration.

    /root/i18n.json

    unit_standardization_file_path

    (Optional) The unit label optimization capability of metric data depends on this file. You are advised to specify the path of this file when enabling the optimization capability. This parameter is valid only when unit_standardization_enabled is set to true.

    /root/unit_standard_transform.json

    metric_timestamp_export_enabled

    (Optional) Whether to export the original timestamp of a metric. The default value is false. After this function is enabled, the value of the metric timestamp field is the actual collection time. Otherwise, the value is the time when the monitoring platform (for example, Prometheus) exports metric data requested by the exporter.

    false

    metric_query_duration

    (Optional) Interval for querying metric data. The default value is 10 minutes. You can set this parameter based on the metric reporting period.

    Range:

    10–60

    Unit:

    Minute

    10

    proxy_schema

    (Optional) Proxy protocol, which is required when you need to query resources or metrics via a proxy.

    http

    proxy_host

    (Optional) Proxy address, which is required when you need to query resources or metrics via a proxy.

    proxy.huaweicloud.com

    proxy_port

    (Optional) Proxy port, which is required when you need to query resources or metrics via a proxy.

    8080

    proxy_username

    (Optional) Username for proxy authentication, which is required when the configured proxy requires authentication.

    NOTE:

    For security purposes, you can also use the -p parameter when starting the cloudeye-exporter and enter the username and password for proxy authentication. This prevents plaintext configuration leakage in the clouds.yml file.

    username

    proxy_password

    (Optional) Password for proxy authentication, which is required when the configured proxy requires authentication.

    password

    rms_retry_times

    (Optional) Maximum number of retries when a resource fails to be queried from Config. The maximum value is 10, and the default value is 1.

    1

    Table 3 auth parameters

    Parameter

    Description

    Example Value

    auth_url

    IAM user authentication address. The format is https://iam.{region_id}.myhuaweicloud.com/v3. For details about region_id, see the Region column on the Regions and Endpoints page.

    https://iam.cn-north-4.myhuaweicloud.com/v3

    project_name

    Huawei Cloud project name.

    You can log in to the IAM console to view all projects of your account.

    cn-north-4

    access_key

    AK of the IAM user. For details about how to obtain an access key, see Creating an Access Key.

    For security purposes, you are advised to configure the encrypted AK and SK in the configuration file. The exporter can only transfer plaintext AK and SK. Therefore, you need to decrypt the AK and SK in the script using your own method.

    NOTE:

    You can also use the -s parameter and enter the AK and SK when starting the cloudeye-exporter to prevent plaintext configuration leakage in the clouds.yml file.

    your_decrypt_function("Encrypted AK")

    secret_key

    SK of the IAM user, which is used together with access_key.

    your_decrypt_function("Encrypted SK")

    region

    ID of the region where the metric data belongs. For details about the region ID, see Regions and Endpoints.

    cn-north-4

  6. Start cloudeye-exporter.

    You can try Starting cloudeye-exporter Using Commands or Starting cloudeye-exporter Using a Shell Script. Both methods are simple and quick, suitable for temporary debugging. For startup using a script, write the commands and parameters into a shell script. The script file can be saved and reused for easy management.

  • If you use the clouds.yml file in the cloudeye-exporter directory, run the following command to start the exporter:
    ./cloudeye-exporter
  • If you need to use the clouds.yml file in another directory, use the -config parameter to specify the path of the clouds.yml file.
    ./cloudeye-exporter -config=/root/clouds.yml
  • For security purposes, the cloudeye-exporter provides startup parameters to prevent AK/SK, proxy, and HTTPS information in the clouds.yml file from being leaked.

    -s: Enter the AK/SK in the command-line interface.

    -p: Enter the username and password of the proxy in the command-line interface.

    -k: To start the cloudeye-exporter using HTTPS (two-way authentication), enter the CA certificate path, server HTTPS certificate path, server HTTPS private key path, and private key password in the command-line interface. (You are advised to use the CA certificate purchased by your company and authenticated by an authoritative organization to create a two-way certificate. Self-signed certificates are also supported. Upload the certificate to the server, for example, /opt/cloud/cloudeye-exporter.)

  • For multiple parameters, use the sequence: -s -p -k.
    ./cloudeye-exporter -s true -p true -k true
  1. Create a shell script.
  2. Add the following information to the script.

    For security purposes, cloudeye-exporter provides startup parameters. You are advised to configure the encrypted AK, SK, proxy password, CA certificate, server HTTPS certificate, private key, private key password, and proxy username in a shell script. Then pass them to the cloudeye-exporter using the huaweiCloud_AK, huaweiCloud_SK, huaweiCloud_ProxyUserName, huaweiCloud_ProxyPassword, root_path, server_crt_path, server_key_path, and huaweiCloud_https_password parameters.

    #!/bin/bash
    huaweiCloud_AK=your_decrypt_function("Encrypted AK")
    huaweiCloud_SK=your_decrypt_function("Encrypted SK")
    
    huaweiCloud_ProxyUserName="userName"
    huaweiCloud_ProxyPassword=your_decrypt_function("Encrypted proxy password")
    
    huaweiCloud_https_ca=your_decrypt_function("Encrypted CA certificate")
    huaweiCloud_https_crt=your_decrypt_function("Encrypted HTTPS certificate")
    huaweiCloud_https_key=your_decrypt_function("Encrypted HTTPS private key")
    huaweiCloud_https_password=your_decrypt_function("Encrypted HTTPS private key password")
    
    root_path="/opt/cloud/cloudeye-exporter/root_crt"
    server_crt_path="/opt/cloud/cloudeye-exporter/server_crt"
    server_key_path="/opt/cloud/cloudeye-exporter/server_key"
    
    # Write the CA certificate to a temporary CA file, which will be automatically deleted after the exporter reads it.
    cat > $root_path << EOF
    $huaweiCloud_https_ca
    EOF
    # Write the HTTPS certificate to a temporary certificate file, which will be automatically deleted after the exporter reads it.
    cat > $server_crt_path << EOF
    $huaweiCloud_https_crt
    EOF
    # Write the private key to a temporary private key file, which will be automatically deleted after the exporter reads it.
    cat > $server_key_path << EOF
    $huaweiCloud_https_key
    EOF
    ./cloudeye-exporter -s=true -p=true -k=true<<EOF
    $huaweiCloud_AK $huaweiCloud_SK
    $huaweiCloud_ProxyUserName $huaweiCloud_ProxyPassword
    $root_path $server_crt_path $server_key_path $huaweiCloud_https_password
    EOF

Follow-Up Operations

After the cloudeye-exporter is started, you can view monitoring data by referring to Exporting Monitoring Data to Self-built Prometheus/Grafana.

APIs and Actions Required for cloudeye-exporter to Export Monitoring Data

Basic permissions listed in Table 4 are required for exporting monitoring data of cloud services. Some services require both basic and specific permissions. For details about the cloud services and the required permissions, see Table 5.

Table 4 Basic permissions

Service

Action

API

Description

IAM

iam:projects:listProjects

/v3/projects

Lists projects based on specified conditions.

IAM

Any global permission.

/v3/auth/domains

Obtains account information accessible to an IAM user.

Cloud Eye

ces:namespacesDimensions:list

/v2/{project_id}/instances/{instance_id}/agent-dimensions

Queries server monitoring metrics.

Cloud Eye

ces:metrics:list

/V1.0/{project_id}/metrics

Lists metrics supported by Cloud Eye.

Cloud Eye

ces:metricData:list

/V1.0/{project_id}/batch-query-metric-data

Queries the monitoring data of a specified metric at a specified granularity in a specified time range in batches.

Config

rms:resources:list

/v1/resource-manager/domains/{domain_id}/provider/{provider}/type/{type}/resource

Lists resources of a specific type.

EPS

eps:enterpriseProjects:list

/v1.0/enterprise-projects

Lists enterprise projects.

Table 5 Cloud service query APIs and actions

Service

Action

API

Description

API Connect

apig:instances:list

/v2/{project_id}/apigw/instances

Lists dedicated gateways.

apig:apis:list

/v2/{project_id}/apigw/instances/{instance_id}/apis

Lists APIs.

apig:instances:get

/v2/{project_id}/apigw/instances/{instance_id}

Queries details of a dedicated gateway.

apig:apps:list

/v2/{project_id}/apigw/instances/{instance_id}/apps

Lists applications.

apig:groups:list

/v2/{project_id}/apigw/instances/{instance_id}/api-groups

Lists API groups.

apig:plugins:list

/v2/{project_id}/apigw/instances/{instance_id}/plugins

Lists plug-ins.

CBR

cbr:vaults:list

/v3/{project_id}/vaults

Lists vaults.

Cloud Connect

cc:cloudConnections:list

/v3/{domain_id}/ccaas/cloud-connections

Lists cloud connections.

cc:bandwidthPackages:list

/v3/{domain_id}/ccaas/bandwidth-packages

Lists bandwidth packages.

cc:interRegionBandwidths:list

/v3/{domain_id}/ccaas/inter-region-bandwidths

Lists inter-region bandwidths.

CDM

cdm:cluster:list

/v1.1/{project_id}/clusters

Lists clusters.

CloudTable

cloudtable:cluster:list

/v2/{project_id}/clusters

Lists clusters.

DIS

dis:stream:list

/v2/{project_id}/streams

Lists streams.

DDMS

ddm:instance:list

/v1/{project_id}/instances

Lists DDM instances.

Anti-DDoS

cnad:package:list

/v1/cnad/packages

Lists instances.

cnad:protectedIp:list

/v1/cnad/protected-ips

Lists protected objects.

DDS

dds:instance:list

/v3/{project_id}/instances

Lists instances.

DLI

dli:jobs:listAll

/v1.0/{project_id}/streaming/jobs

Lists Flink jobs.

dli:elasticresourcepool:list

/v3/{project_id}/elastic-resource-pools

Lists all elastic resource pools.

DWS

dws:openAPICluster:list

/v1.0/{project_id}/clusters

Lists clusters.

ELB

elb:loadbalancers:list

/v3/{project_id}/elb/loadbalancers

Lists load balancers.

elb:listeners:list

/v3/{project_id}/elb/listeners

Lists listeners.

elb:pools:list

/v3/{project_id}/elb/pools

Lists backend server groups.

elb:availability-zones:list

/v3/{project_id}/elb/availability-zones

Lists AZs.

GaussDB v5

gaussdb:instance:list

/v3/{project_id}/instances

Lists DB instances.

GCB

cc:gcbandwidths:list

/v3/{domain_id}/gcb/gcbandwidths

Lists global connection bandwidths.

LTS

lts:groups:list

/v2/{project_id}/groups

Lists all log groups of an account.

lts:topics:list

/v2/{project_id}/groups/{log_group_id}/streams

Lists all log streams in a log group.

LakeFormation

lakeformation:instance:list

/v1/{project_id}/instances

Lists instances.

ModelArts

modelarts:service:get

/v1/{project_id}/services/{service_id}

Obtains details about a model service.

MRS

mrs:cluster:list

/v1.1/{project_id}/cluster_infos

Lists clusters (V1).

GeminiDB

nosql:instance:list

/v3/{project_id}/instances

Queries instances and details.

SFS

sfs:shares:getShare

/v2/{project_id}/shares

Lists all shared file systems.

WAF (Premium)

waf:premiumInstance:list

/v1/{project_id}/premium-waf/instance

Lists dedicated WAF instances.